Let's Encrypt: The client lacks sufficient authorization

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: landwtools.com

I ran this command:
sudo certbot certonly --agree-tos --email admin@landwtools.com --webroot -w /var/lib/letsencrypt/ -d landwtools.com -d www.landwtools.com
It produced this output:

My web server is (include version):
Nginx

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:
AWS EC2

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.27.0

It returns the following error:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for landwtools.com
http-01 challenge for www.landwtools.com
Using the webroot path /var/lib/letsencrypt for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. www.landwtools.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.landwtools.com/… [44.233.37.200]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n

404 Not Found

\r\n
", landwtools.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://landwtools.com/.well… [44.233.37.200]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n

404 Not Found

\r\n
"

IMPORTANT NOTES:

  • The following errors were reported by the server:

Domain: www.landwtools.com
Type: unauthorized
Detail: Invalid response from
http://www.landwtools.com/…
[44.233.37.200]: "\r\n404 Not
Found\r\n<body bgcolor="white">\r\n

404
Not Found

\r\n
"

Domain: landwtools.com
Type: unauthorized
Detail: Invalid response from
http://landwtools.com/.well…
[44.233.37.200]: "\r\n404 Not
Found\r\n<body bgcolor="white">\r\n

404
Not Found

\r\n
"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.

Previously, I was okay with the Let's Encrypt process on my old Elastic IP. Now, when I upgraded my AWS EC2 instance, I incorrectly deleted my previously associated Elastic IP address, so I had to choose a new Elastic IP, and then when I re-ran the Let's Encrypt process, those errors happened.

Any suggestion for the fix? Thanks in advance.

That doesn’t make sense.
The webroot is supposed to match the document root used by the virtual host config file.

Try showing the output of:
nginx -T | grep -Ei 'server_name|root|virtual|listen'

Hi,

Yes, I did indeed set up a virtual environment to host this application, landwtools.com.
Details as per:
https://linuxize.com/post/how-to-set-up-nginx-server-blocks-on-ubuntu-18-04/

I actually learned from the following post how to process Let's Encrypt:

Secure Nginx with Let’s Encrypt on Ubuntu 18.04

My Odoo 13.0 / landwtools.com application installed on AWS Ubuntu 18.04 is also set up as per this website:
https://linuxize.com/post/how-to-install-odoo-13-on-ubuntu-18-04/

Please comment. Thanks.

Hi,

As per my previous explanation, if my host is under a virtual environment, how do I amend your following directive:

nginx -T | grep -Ei 'server_name|root|virtual|listen'

Please advise. Thanks.

Do you have SSH access to the system?
If so, try that command (with sudo in front - just in case)

Hi,

Thanks for the feedback.
But what is this question? I cannot understand it. Can you give more explanation? Thanks.

I think I have OpenSSH:

When I execute the following directive:
$ sudo ufw status

it shows:
Status: active

To                         Action      From
--                         ------      ----
Nginx Full                 ALLOW       Anywhere
22/tcp                     ALLOW       Anywhere
8069/tcp                   ALLOW       Anywhere
Nginx Full (v6)            ALLOW       Anywhere (v6)
22/tcp (v6)                ALLOW       Anywhere (v6)
8069/tcp (v6)              ALLOW       Anywhere (v6)

which means I have SSH - 22/tcp.

Does this reply answer your above question?

Can you explain more about what this error is about? What is the meaning of the error "The client lacks sufficient authorization" shown in the following screen output:

Failed authorization procedure. www.landwtools.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.landwtools.com/.well-known/acme-challenge/yHvE_B2gLdXb-2uGku7ro4cKuEOT7X9it4Lp-Xyzyxg [44.233.37.200]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n

404 Not Found

\r\n
", landwtools.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://landwtools.com/.well-known/acme-challenge/0CNxxlQ8pRE0BKlAArx_gjvdu695pPo53mRdYg26o24 [44.233.37.200]: "\r\n404 Not Found\r\n<body bgcolor="white">\r\n

404 Not Found

\r\n

What does this mentioned "authorization" mean?

Does it mean my Let's Encrypt certificate for my landwtools.com?

Previously, I had an old AWS EC2 instance for Odoo with everything okay for the Let's Encrypt process, since I could have an HTTPS connection with my landwtools.com; and then I changed to a totally new AWS EC2 instance, with a new Elastic IP associated (since the old Elastic IP associated with the previous AWS EC2 instance had been deleted by me incorrectly).

And then when I try to add Let's Encrypt for this totally new AWS EC2 instance, I have the current problem.

I guess the Let's Encrypt certificate/authorization for my previous AWS EC2 instance is still kept/held on the Let's Encrypt side, and it is not released to the newly installed AWS EC2 instance, which needs the Let's Encrypt certificate, so now I have the unauthorization problem under this new AWS EC2 instance; is this guess right?

Please give more explanation and advice. Thanks.

Hi, another question :)

Meanwhile, why can I still successfully reach both of my following website pages under the current error:

landwtools.com - yes, I can reach it
landwtools:8069 - yes, I can also reach my database
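The certbot failure text quoted in this thread can be triaged mechanically. The following Python script is an added example written for this page; it is not part of the thread and not certbot's own code, and the triage rules in it are this example's own heuristics. It parses the "Failed authorization procedure." line into one record per domain (challenge type, ACME error URN, the URL the CA fetched, the address it connected to, and the start of the body it got back), then applies three checks: does the address the CA reached match the address you expect (the new Elastic IP); did a web server answer with a 404 (which means DNS is fine and the request reached a web server on that address, but whichever server block handled it does not serve `/.well-known/acme-challenge/` from the directory passed to `-w`); or did nothing answer on port 80 at all (closed security group or firewall). The sample input is constructed from the two entries posted above plus a made-up connection-timeout entry for the third branch; `example.invalid` and `TOKEN` in it are placeholders.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input. The first two entries are the failures posted in this
# thread, joined with ", " the way certbot prints them on one line. The third is
# a constructed approximation of a connection-timeout failure (example.invalid
# and TOKEN are placeholders) so that the "nothing answered" branch is exercised.
SAMPLE = (
    "Failed authorization procedure. www.landwtools.com (http-01): "
    "urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient "
    "authorization :: Invalid response from "
    "http://www.landwtools.com/.well-known/acme-challenge/"
    "yHvE_B2gLdXb-2uGku7ro4cKuEOT7X9it4Lp-Xyzyxg "
    '[44.233.37.200]: "\\r\\n404 Not Found\\r\\n<body bgcolor="white">\\r\\n", '
    "landwtools.com (http-01): urn:ietf:params:acme:error:unauthorized :: "
    "The client lacks sufficient authorization :: Invalid response from "
    "http://landwtools.com/.well-known/acme-challenge/"
    "0CNxxlQ8pRE0BKlAArx_gjvdu695pPo53mRdYg26o24 "
    '[44.233.37.200]: "\\r\\n404 Not Found\\r\\n<body bgcolor="white">\\r\\n", '
    "example.invalid (http-01): urn:ietf:params:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: "
    "Fetching http://example.invalid/.well-known/acme-challenge/TOKEN: "
    "Timeout during connect (likely firewall problem)"
)

# One entry per domain: "<domain> (<challenge>): <urn> :: <title> :: <detail>",
# entries separated by ", ".
ENTRY = re.compile(
    r"(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): "
    r"(?P<error>urn:ietf:params:acme:error:[\w-]+) :: "
    r"(?P<title>[^:]+) :: "
    r"(?P<detail>.*?)(?=, [\w.-]+ \([\w-]+\): urn:|$)",
    re.S,
)
# Detail of an http-01 "unauthorized": the URL fetched, the address reached, the body.
RESPONSE = re.compile(
    r"Invalid response from (?P<url>\S+) \[(?P<ip>[0-9a-fA-F.:]+)\]: (?P<body>.*)", re.S
)


@dataclass
class Failure:
    domain: str
    challenge: str
    error: str                   # ACME error URN
    title: str
    detail: str
    url: Optional[str] = None    # URL the CA fetched, if the detail carries one
    ip: Optional[str] = None     # address the CA connected to, if reported
    body: Optional[str] = None   # start of the HTTP body the CA received

    @property
    def token(self) -> Optional[str]:
        """The challenge token is the last path segment of the fetched URL."""
        if self.url and "/.well-known/acme-challenge/" in self.url:
            return self.url.rsplit("/", 1)[1]
        return None


def parse_failures(text: str) -> List[Failure]:
    out = []
    for m in ENTRY.finditer(text):
        f = Failure(m["domain"], m["challenge"], m["error"],
                    m["title"].strip(), m["detail"].strip())
        r = RESPONSE.search(f.detail)
        if r:
            f.url, f.ip, f.body = r["url"], r["ip"], r["body"]
        out.append(f)
    return out


def expected_challenge_file(f: Failure, webroot: str) -> Optional[str]:
    """Where `certbot --webroot -w <webroot>` wrote the token; the server block
    that wins for this host must serve /.well-known/acme-challenge/ from webroot."""
    return os.path.join(webroot, ".well-known", "acme-challenge", f.token) if f.token else None


def triage(f: Failure, expected_ip: Optional[str] = None) -> str:
    """First-pass classification. These rules are this example's own heuristics:
    - CA reached an address other than yours -> fix the DNS A/AAAA record
    - a web server answered 404              -> DNS is fine; webroot/server block is wrong
    - nothing answered on port 80            -> security group / firewall"""
    if f.ip and expected_ip and f.ip != expected_ip:
        return "dns-points-elsewhere"
    if f.body and "404" in f.body:
        return "reached-server-wrong-root"
    if any(s in f.detail for s in ("Timeout", "Connection refused", "No route to host")):
        return "no-http-response"
    return "unknown"


if __name__ == "__main__":
    for f in parse_failures(SAMPLE):
        print(f.domain, f.ip, triage(f, expected_ip="44.233.37.200"),
              expected_challenge_file(f, "/var/lib/letsencrypt"))
```

To use it on a real run, paste the "Failed authorization procedure." line certbot printed into SAMPLE and pass the Elastic IP you expect as `expected_ip`. When the verdict is "reached-server-wrong-root", the manual confirmation is to create any file under the directory `expected_challenge_file` points at and fetch it with `curl -i http://<domain>/.well-known/acme-challenge/<file>`: a 404 there means nginx is answering from a server block whose root is not the `-w` directory.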

I was asking for the output of:
sudo nginx -T | grep -Ei 'server_name|root|virtual|listen'

That command will filter down the full nginx configuration, showing only lines that contain any of the following (case insensitive):
server_name
root
virtual
listen

This output will produce a quick index of the whole configuration (showing us only the relevant information).

Ah, now I understand, thanks.

When I execute:
sudo nginx -T | grep -Ei 'server_name|root|virtual|listen'

it shows:
nginx: [warn] conflicting server name "landwtools.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.landwtools.com" on 0.0.0.0:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

And yes, before setting up and enabling ufw and Nginx, I did indeed select to add HTTP in the security group while launching the AWS EC2 Ubuntu 18.04 instance.

So now I return to the AWS EC2 instance console and, in the security group, I edit it to cancel the HTTP selection.

Then I reload Nginx:
$ sudo systemctl reload nginx

But then I lose my connection to: http://landwtools.com
with the screen returning: ERR_CONNECTION_TIMED_OUT

Do you have any other suggestion? Thanks.

Step #1
Those conflicts need to be resolved.

Thanks.
Now I realize that Nginx and Apache/Apache2 conflict,
so Nginx should be set up without Apache.
So when I launch an AWS EC2 instance with a security group adding HTTP, and then I install Nginx, Nginx will have a conflict with Apache, is that right?
Okay, I can launch a totally new AWS EC2 instance without HTTP selected in the security group, and then I believe this step #1 is solved.
What is the next step which needs to be fixed?

If they are both set to use the same port(s) yes that will create a conflict.

But I don’t think the nginx conflict complaint is about not being able to bind to any port.
So that doesn’t seem to be the reason for that nginx compliant.

Are those conflicts caused inside my own system, and should they be checked in my own Nginx files?

or

Are those conflicts caused outside my own system, by my traditional Let's Encrypt certificate record for landwtools.com?

Not from what you’ve shown.

Those should be the exact same file.

Yes.

Yes.

Try showing the relevant sections from the output of:
sudo nginx -T

You can delete all that - not really legible (as is)

Let me make it a bit easier for you:
[baby steps]

Please show the outputs of:
sudo nginx -T | grep -Ei 'server_name|landwtools|virtual|root|listen'
ls -l /etc/nginx/conf.d/*.conf
ls -l /etc/nginx/sites-enabled/*

I think I caught a glimpse of the problem in there:

configuration file /etc/nginx/sites-enabled/landwtools.com
configuration file /etc/nginx/sites-enabled/landwtools.com.conf

To the untrained eye those two files don’t overlap - one is a .conf and the other is not.
But when the include statement is:

[include anything and everything in that folder]
They both get processed :(

Delete/move one of them.
OR
change
include /etc/nginx/sites-enabled/*;
to
include /etc/nginx/sites-enabled/*.conf;

Yes, too much.

OK, I deleted those previous postings.

Now I execute: $ sudo nginx -T | grep -Ei 'server_name|landwtools|virtual|root|listen'

it shows:
nginx: [warn] conflicting server name "landwtools.com" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.landwtools.com" on 0.0.0.0:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

I execute: $ sudo ls -l /etc/nginx/conf.d/*.conf

it shows:
ls: cannot access '/etc/nginx/conf.d/*.conf': No such file or directory

I execute: $ sudo ls -l /etc/nginx/sites-enabled/*

it shows:
lrwxrwxrwx 1 root root 34 Sep 14 03:39 /etc/nginx/sites-enabled/default -> /etc/nginx/sites-available/default
lrwxrwxrwx 1 root root 41 Sep 14 03:52 /etc/nginx/sites-enabled/landwtools.com -> /etc/nginx/sites-available/landwtools.com
lrwxrwxrwx 1 root root 46 Sep 14 03:58 /etc/nginx/sites-enabled/landwtools.com.conf -> /etc/nginx/sites-available/landwtools.com.conf

Both are being processed.
You probably meant to use one as a sort-of backup to the other.
If so, just move the “backup” to a /backup folder.
OR
[In the main config file]
change
include /etc/nginx/sites-enabled/*;
to
include /etc/nginx/sites-enabled/*.conf;
[so that only the .conf files are included in the nginx config]
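To see why both `landwtools.com` and `landwtools.com.conf` end up loaded, and which one nginx actually uses, here is an added Python example (not from the thread, and not part of nginx or certbot) that reads an `nginx -T` dump, splits it into the files nginx reported, pulls `listen` and `server_name` out of every `server { }` block, and reports each name that is defined more than once on the same socket, in load order: the first file listed is the one nginx keeps, and the rest are what the `conflicting server name ... ignored` warning refers to. It also shows, using fnmatch as an approximation of nginx's include glob, which file names `sites-enabled/*` pulls in versus `sites-enabled/*.conf`. The dump embedded below is constructed to match the `ls -l` listing posted above; the directives inside each file are assumptions, since the actual `nginx -T` output was deleted from the thread.

```python
import re
from collections import defaultdict
from fnmatch import fnmatch

# Constructed `nginx -T` dump. The three sites-enabled entries match the `ls -l`
# posted in the thread; the directives inside each file are assumptions.
SAMPLE_DUMP = """\
# configuration file /etc/nginx/nginx.conf:
http {
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

# configuration file /etc/nginx/sites-enabled/default:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    root /var/www/html;
}

# configuration file /etc/nginx/sites-enabled/landwtools.com:
server {
    listen 80;
    server_name landwtools.com www.landwtools.com;
    root /var/www/landwtools.com;   # assumed: no acme-challenge location here
}

# configuration file /etc/nginx/sites-enabled/landwtools.com.conf:
server {
    listen 80;
    server_name landwtools.com www.landwtools.com;
    location ~ /.well-known/acme-challenge {
        root /var/lib/letsencrypt;  # assumed: matches certbot's -w
    }
}
"""

FILE_HEADER = re.compile(r"^# configuration file (?P<path>.+):$", re.M)
SERVER_OPEN = re.compile(r"\bserver\s*\{")
LISTEN = re.compile(r"\blisten\s+([^;]+);")
SERVER_NAME = re.compile(r"\bserver_name\s+([^;]+);")


def split_files(dump):
    """[(path, text), ...] in the order nginx loaded them."""
    heads = list(FILE_HEADER.finditer(dump))
    out = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(dump)
        out.append((h["path"], dump[h.end():end]))
    return out


def server_blocks(text):
    """Yield the body of each server { ... } block (comments stripped, braces balanced)."""
    text = re.sub(r"#.*", "", text)
    pos = 0
    while True:
        m = SERVER_OPEN.search(text, pos)
        if not m:
            return
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]
        pos = i


def normalize_listen(value):
    """'80 default_server' -> '0.0.0.0:80', the form nginx's warning uses; '[::]:80' stays."""
    addr = value.split()[0]
    if addr.startswith("["):
        return addr
    if ":" not in addr:
        return "0.0.0.0:" + addr
    if addr.startswith("*:"):
        return "0.0.0.0:" + addr[2:]
    return addr


def conflicting_server_names(dump):
    """(server_name, socket) -> [file, ...] for names defined on one socket more than once.
    nginx keeps the first definition and ignores the later ones."""
    seen = defaultdict(list)
    for path, text in split_files(dump):
        for body in server_blocks(text):
            # a server block with no listen directive defaults to *:80
            sockets = [normalize_listen(v) for v in LISTEN.findall(body)] or ["0.0.0.0:80"]
            names = [n for v in SERVER_NAME.findall(body) for n in v.split()]
            for name in names:
                for sock in sockets:
                    seen[(name, sock)].append(path)
    return {k: v for k, v in seen.items() if len(v) > 1}


def included_by(pattern, names):
    """Files an `include <dir>/<pattern>;` pulls in (fnmatch approximates glob(3))."""
    return sorted(n for n in names if fnmatch(n, pattern))


if __name__ == "__main__":
    for (name, sock), files in conflicting_server_names(SAMPLE_DUMP).items():
        print(f"{name} on {sock}: kept {files[0]}, ignored {files[1:]}")
    names = ["default", "landwtools.com", "landwtools.com.conf"]
    print("include *      ->", included_by("*", names))
    print("include *.conf ->", included_by("*.conf", names))
```

Run it against a real system with `sudo nginx -T > dump.txt` and read that file into `conflicting_server_names`. In the constructed dump the block nginx keeps is the one in `landwtools.com`, which has no `/.well-known/acme-challenge` location, so the token certbot writes under `/var/lib/letsencrypt` is never served and the CA sees a 404; deleting one file or narrowing the include to `*.conf` removes the ambiguity, after which `sudo nginx -t` should print no `conflicting server name` warnings.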